
Threat Intelligence

11/20/2017 10:30 AM
Oliver Rochford
Commentary

3 Ways to Retain Security Operations Staff

Finding skilled security analysts is hard enough. Once you do, you'll need to fight to keep them working for you. These tips can help.

The shortfall in security professionals, and most notably security operations center (SOC) analysts, has been well documented. However, hiring skilled security analysts is only part of the problem. Even if an organization is able to recruit security analysts, retaining them in the long term is an even greater challenge. The foundational market forces of supply and demand enable these professionals to easily jump ship, often achieving a higher salary and title in the process.

During my time at Gartner, informal feedback I received from managed security service providers (MSSPs) indicated that the average retention period for a junior SOC analyst was between 12 and 18 months. It's important to bear in mind that MSSPs are generally able to offer a better career advancement path for SOC employees than most enterprises.

Nevertheless, using the right techniques, retention can be improved. Here are the top three ways to attract and retain SOC analysts.

1. Convert Roles to Duties, and Then Rotate Them
The primary roles in a SOC, with some variation, are shown in Figure 1.

Figure 1.

Role    | Duties
Tier 1  | Alert queue monitoring, incident qualification, triage and escalation
Tier 2  | Incident investigation, remediation advice
Tier 3  | Detection and use case optimization, hunting and investigation, threat intelligence analysis

The greatest mistake organizations make is defining these as fixed roles (jobs). Tier 1 work is repetitive, monotonous, and intellectually unchallenging. In addition, anyone who has ever stared at an alert console for months on end can attest that it also conditions analysts to pay less attention, which has a negative impact on effectiveness and efficiency.

Meanwhile, staff retention in Tier 2 and Tier 3 roles is higher, which results in fewer new openings and promotion opportunities for junior analysts. Once junior analysts have successfully worked in a SOC for 12 months or more, they can easily find more senior roles with another organization.

Each one of the Tier 1 through 3 roles can easily be rotated, with analysts working in each position for one-week intervals. This approach distributes both the interesting and tedious work across the team, which improves alertness and provides everyone the opportunity to perform some intellectually challenging and interesting work.

In addition to increasing retention, this rotation provides every analyst the opportunity to become familiar with the various roles required to operate a SOC. This cross-functional training helps mitigate skills gaps and maintain operational continuity if someone leaves the organization or is on paid time off.

2. Offer Phased Training and Certifications
Offering training and certifications tied to employment tenure is another effective retention mechanism. For example, a new analyst may be offered a certification course such as the GIAC Certified Intrusion Analyst after 6 months of active employment, the GIAC Forensic Analyst after 12 months, and the GIAC Certified Forensic Examiner after 24 months.

I've used GIAC here as an example, but SANS and other companies also offer similar courses. Correctly applied, such a system can help extend analyst retention from the typical 12 to 18 months to as long as 5 years. Alternatively, analysts across a team can be given different certification courses in each phase. This ensures that the team as a whole has a broad and comprehensive skill set, and the analysts who have attended a given course can then train the rest of the team to transfer that knowledge.

Figure 2. Example Training Plans

Employment Time | Analyst 1 | Analyst 2 | Analyst 3 | Analyst 4
6 months   | GIAC Certified Intrusion Analyst | GIAC Certified Intrusion Analyst | GIAC Certified Intrusion Analyst | GIAC Certified Intrusion Analyst
12 months  | GIAC Certified Forensic Examiner | GIAC Reverse Engineering Malware | GIAC Network Forensic Analyst | GIAC Cyber Threat Intelligence
24 months  | GIAC Reverse Engineering Malware | GIAC Network Forensic Analyst | GIAC Cyber Threat Intelligence | GIAC Certified Forensic Examiner
36 months  | GIAC Network Forensic Analyst | GIAC Cyber Threat Intelligence | GIAC Certified Forensic Examiner | GIAC Reverse Engineering Malware
48 months  | GIAC Cyber Threat Intelligence | GIAC Certified Forensic Examiner | GIAC Reverse Engineering Malware | GIAC Network Forensic Analyst

3. Offer Step-up Retention Bonuses

Offering increasing retention bonuses for each year of employment rewards analysts for their loyalty and gives them an incentive to stay with the organization. The salary increase from an entry-level to a midcareer analyst is between 20% and 30%, so a good bonus strategy will ensure that a similar increase is achieved over a 3- to 5-year period.

In combination, these three strategies can significantly improve and increase SOC analyst retention, reduce the cost of recruiting and training new analysts, and minimize the negative impact of employee turnover on operations.

Oliver Rochford is the Vice President of Security Evangelism at DFLabs. He previously worked as research director for Gartner, and is a recognized expert on threat and vulnerability management, cybersecurity monitoring and operations management. Oliver has also been a ...
Comments

Syberguy, User Rank: Apprentice
12/7/2017 | 5:23:46 AM
Re: Timely, and yet...
I agree, but this issue has been around in other industries for some time now, whereby employers (organizations) are more focused on the bottom line and short-term gains, as well as pleasing the stakeholders and board members, than actually engaging with their internal staff. This, in addition to pay, vacation, life balance, hours of work, environment and politics, adds fuel to discontentment throughout the departments.

As an industry collaborator in various fields of IT and Healthcare, I see this trend continuing, especially with the added contradiction of contract work rather than employment.

Joe Stanganelli, User Rank: Ninja
11/27/2017 | 4:16:07 PM
Re: Excellent article - applies to a number of different jobs
@REISEN: Also, it helps people learn the business -- and, assuming other things go well in the employer-employee relationship -- gets the employee more invested in the success of the company. I've seen that phenomenon work wonders, myself.

Joe Stanganelli, User Rank: Ninja
11/27/2017 | 4:10:13 PM
Timely, and yet...
This is a great flip on a common theme in this sector: the dreaded "talent shortage" in cybersecurity.

Alas, it is hard for information-security professionals to feel any sense of attachment or loyalty to their employers if employers don't demonstrate loyalty or attachment in turn. When companies turn to cheap offshore or H1-B/L1 Visa labor and/or outsource to low-bidding vendors for strategic functions that should really be internal, one would be foolish to expect anything other than their cybersecurity personnel to be frequently updating their resume and shopping it around.

Dr.T, User Rank: Ninja
11/27/2017 | 1:28:39 PM
Re: Excellent article - applies to a number of different jobs
"more knowledge to learn - more stuff to do! Paying off in many ways."

This makes sense: when people build knowledge, they feel more secure, since they can find positions somewhere else easily.

Dr.T, User Rank: Ninja
11/27/2017 | 1:26:59 PM
Re: Excellent article - applies to a number of different jobs
"I recently left a nice paying job with no future and no learning"

We experience this a lot. It is not only money anymore, people are looking for satisfaction from their jobs.

Dr.T, User Rank: Ninja
11/27/2017 | 1:25:27 PM
Re: Excellent article - applies to a number of different jobs
"It is LEARNING new items"

Agree. Learning new things keeps people busy and engaged.

Dr.T, User Rank: Ninja
11/27/2017 | 1:23:56 PM
Re: Excellent article - applies to a number of different jobs
"it fits for any number of corporate position and not just in IT alone"

I agree with this. It is hard to keep the retention rate high in IT, but also in other departments in the organization today.

Dr.T, User Rank: Ninja
11/27/2017 | 1:22:40 PM
3 simple steps
These 3 simple steps are quite well thought out. Simple and effective, I would say.

DonHarper, User Rank: Apprentice
11/23/2017 | 4:44:09 PM
Re: Excellent article - applies to a number of different jobs
Great move you did there. Respect it.

REISEN1955, User Rank: Ninja
11/21/2017 | 8:40:47 AM
Excellent article - applies to a number of different jobs
If one takes the security aspect out of this essay, it fits any number of corporate positions and not just in IT alone. You have to rotate staff in a department to cross-train and have people available not only for emergency fill-in when needed but for intellectual stimulation. It is by LEARNING new items that IT people, and the subset of Security staff, feel they have a good chair at the table. Otherwise, they find another table in another restaurant. I recently left a nice paying job with no future and no learning to move to a forensics department with far better salary BUT ALSO more knowledge to learn - more stuff to do! Paying off in many ways.